Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

streamfwd SSL decryption error (DSSL library error code -41)

ekremikizoglu
Explorer
‎10-18-2016 04:45 AM

Hi,

I am testing "App For Stream" App(6.6.1) to capture https traffics. I added pem file to keystore.db as descr. belowlink
http://docs.splunk.com/Documentation/StreamApp/6.6.1/DeployStreamApp/EnableSSLforStreamForwarder

But i am getting errors in streamfwd.log. (DSSL library error code -41)

Error line:
2016-10-17 17:37:02 WARN 11592 stream.SnifferReactor - SSL decryption error (DSSL library error code -41) (ssl) [c=yyyyyyy:61914, s=xxxxxx:8282]

Anyone can help me?

Thanks

0 Karma
Reply

ekremikizoglu
Explorer
‎11-29-2016 12:27 AM

Hi,

The issue appears to be caused by the Extended Master Secret Key extension (https://tools.ietf.org/html/rfc7627) being negotiated between the client and the server. Stream currently doesn't support this extension, so the workaround would be to turn it off on the server side.

Thanks.

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎10-18-2016 07:29 PM

Hi @ekremikizoglu,

This is a rather rare error - it basically indicates a symmetric decryption failure. Do you happen to know what TLS version/cipher suite is been negotiated? (you can use Stream to track it by capturing tcp traffic and enabling ssl_cipher_name and/or ssl_cipher_id fields)

0 Karma
Reply

ekremikizoglu
Explorer
‎10-26-2016 08:21 AM

Hi,

I generated this certificate on iis server ,Self signed TLS1.2 RSA AES_256_GCM, for testing decription feature of stream app. I published website and enable ssl communication. Then i installed splunk to capture https traffic. But i got the error.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...